7.1.1 Introduction
The MUNINN network sensor produces several different types of notifications when specific patterns of network traffic are observed. This page goes into detail for every type of notification and explains:
- What causes this type of notification, both benign and malicious.
- What risks are posed.
- What actions can be taken to mitigate risks and reduce noise.
7.1.2 Categories
7.1.2.1 SSH Password Guessing
Password guessing notices arise when at least 5 failed SSH login attempts are observed.
7.1.2.1.1 Benign causes
A script using ssh to execute a remote task may retry quickly and repeatedly after a failed login if it is not configured properly.
7.1.2.1.1.1 Mitigation
Make sure any script using ssh implements a backoff strategy when login fails, e.g. retry 1 second after the first failed login, 5 seconds after the second, 10 seconds after the third, and so on.
This also prevents so-called hammering.
Secondly, investigate what is causing the failed logins, such as deleted users, a changed sshd_config, changed passwords, etc.
7.1.2.1.2 Malicious causes
An active attacker is trying to break into systems by brute forcing passwords. Such attacks are very common against web sites and web servers and are one of the most common vectors used to compromise them. The process is very simple: the attacker tries multiple combinations of usernames and passwords until one works.
This scenario is very serious if the attacked machine is not publicly available. If, however, the machine has a public IP, one has to expect random ssh attacks and secure it accordingly.
7.1.2.1.2.1 Mitigation
7.1.2.1.2.2 Public host
- Filter by IP who can reach your SSH service.
- Reconfigure your SSH to only accept password-protected SSH keys and no longer permit plain passwords.
- Use hard-to-guess usernames.
- Move your SSH off port 22; this makes the ssh service harder to find.
If you are confident that the server has a secure sshd configuration, you can safely whitelist SSH Password Guessing for this particular machine.
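As an added example (not MUNINN's code), the following Python audits an sshd_config text against the points above: it reports password authentication left on, keyboard-interactive (PAM) prompts left on, key authentication turned off, the default port, and the absence of an AllowUsers/AllowGroups restriction. The directive names and defaults are OpenSSH's; both sample configurations are constructed.

```python
from typing import Dict, List

# OpenSSH defaults that apply when a directive is absent from sshd_config.
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "kbdinteractiveauthentication": "yes"}

def parse_sshd_config(text: str) -> Dict[str, str]:
    # sshd keeps the first value it reads for a keyword, and anything after
    # a 'Match' line is conditional, so later duplicates and Match bodies are skipped.
    seen: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)           # keyword, then the rest of the line
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif not in_match and key not in seen:
            seen[key] = value
    return {**DEFAULTS, **seen}

def audit_sshd_config(text: str) -> List[str]:
    # Findings relevant to password guessing; an empty list means none.
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication: plain passwords still accepted")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication: PAM may still prompt for a password")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication: key-based login is disabled")
    if cfg["port"] == "22":
        findings.append("Port: still on the default 22")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("AllowUsers/AllowGroups: no restriction on which accounts may log in")
    return findings

# Constructed samples; the Match block in WEAK_CONFIG does not change the global policy.
WEAK_CONFIG = "Port 22\nPasswordAuthentication yes\nMatch Address 10.0.0.0/8\n  PasswordAuthentication no\n"
HARDENED_CONFIG = "Port 2222\nPasswordAuthentication no\nKbdInteractiveAuthentication no\nAllowUsers ops-deploy\n"
```

Older OpenSSH releases spell the keyboard-interactive directive ChallengeResponseAuthentication; the audit above only recognises the current name.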
7.1.2.2 Traceroute detected
Detects a large number of ICMP Time Exceeded messages heading toward hosts that have sent low-TTL packets.
Traceroute works by sending an ICMP packet with a short TTL. When the TTL expires, the last router/device reached sends a response back to the originator instead of forwarding the packet. By slowly increasing the TTL until the packet reaches the final destination, every hop along the way will have responded at some point, allowing the originator to map out the route to the destination.
There are other traceroute techniques, but they are based on the same principle. Traceroute techniques are employed by network diagnostic tools but can also be used for other purposes.
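To make the TTL mechanism concrete, here is an added Python simulation (not MUNINN code) of probes crossing a constructed three-router path, followed by the sensor-side rule described above; the low-TTL cutoff and the count threshold are assumptions.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed topology: three routers between the originating host and the target.
ORIGIN, TARGET = "10.0.0.50", "203.0.113.9"
ROUTERS = ["10.0.0.1", "192.0.2.1", "198.51.100.7"]

Packet = Tuple[str, str, str, int]   # (src, dst, kind, ttl)

def send_probe(ttl: int) -> List[Packet]:
    """One probe with the given TTL plus the single reply it provokes.
    Every router decrements the TTL; the hop at which it reaches zero answers
    with ICMP Time Exceeded instead of forwarding the packet."""
    packets = [(ORIGIN, TARGET, "probe", ttl)]
    for router in ROUTERS:
        ttl -= 1
        if ttl == 0:
            packets.append((router, ORIGIN, "time-exceeded", 64))
            return packets
    packets.append((TARGET, ORIGIN, "echo-reply", 64))   # probe reached the target
    return packets

def traceroute(max_ttl: int = 30) -> List[Packet]:
    """Raise the TTL one step at a time until the destination itself answers."""
    seen: List[Packet] = []
    for ttl in range(1, max_ttl + 1):
        seen.extend(send_probe(ttl))
        if seen[-1][2] == "echo-reply":
            break
    return seen

def route_from(packets: List[Packet]) -> List[str]:
    """The route as the originator reconstructs it: one responder per TTL."""
    return [src for src, _, kind, _ in packets if kind != "probe"]

def detect_traceroute(packets: List[Packet], low_ttl: int = 5,
                      threshold: int = 3) -> Dict[str, int]:
    """Sensor side: count Time Exceeded messages heading toward hosts that have
    sent low-TTL packets. Both cutoffs are assumptions, not MUNINN's values."""
    low_ttl_senders = {src for src, _, kind, ttl in packets
                       if kind == "probe" and ttl <= low_ttl}
    hits = Counter(dst for _, dst, kind, _ in packets
                   if kind == "time-exceeded" and dst in low_ttl_senders)
    return {host: n for host, n in hits.items() if n >= threshold}
```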
7.1.2.2.1 Benign causes
Someone may be trying to figure out how a machine is connected to the internet, for example to find out whether the connection is NAT'ed.
7.1.2.2.1.1 Mitigation
Ask the person whether this activity is necessary and/or legitimate.
7.1.2.2.2 Malicious causes
Sophisticated cyber attackers need to gather as much information about their target as possible. Traceroute is used in the reconnaissance phase of cyber attacks to map target networks and to discover possible attack vectors.
7.1.2.3 SQL Injection detected
SQL injection is a way of tricking a SQL server into performing a database query that the creator of a web site did not intend. This is done by manipulating form parameters to include complete queries in what was supposed to be a value inserted into an existing query. By inspecting HTTP parameters and the frequency of requests, a notification may be created if it looks like someone is employing this technique.
7.1.2.3.1 Malicious causes
SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even on an up-to-date, patched system.
An attacker may be probing a web site to find poorly coded backends that could be tricked into giving up data that the user should not be able to access.
7.1.2.3.1.1 Mitigation
- Audit web application code (look for unescaped input from HTTP parameters) and employ a web scanner such as http://sqlmap.org/.
- Patch the server.
- Remove unnecessary accounts.
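As an added illustration of the first mitigation point (example code, not MUNINN's or any real site's), the Python below shows the defect a code audit should look for, SQL built by string concatenation from an HTTP parameter, next to the parameterized form, plus a coarse check for parameter values that look like injected SQL. The user table, the request value and the keyword list are constructed.

```python
import re
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a web site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.net"), ("bob", "bob@example.net")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The HTTP parameter is spliced into the statement text, so a value that
    contains SQL syntax changes the query instead of being compared as data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The parameter is bound separately; the driver never parses it as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

# Assumed heuristic for auditing request logs: a quote followed by an SQL
# keyword or comment marker. It is coarse and will flag some legitimate input.
SUSPICIOUS = re.compile(r"'\s*(or|and|union|select|--|;)", re.IGNORECASE)

def looks_like_injection(value: str) -> bool:
    return SUSPICIOUS.search(value) is not None

# Constructed request value: a condition that is always true.
TAUTOLOGY = "' OR '1'='1"
```

With TAUTOLOGY as the name parameter, the vulnerable lookup returns every row while the parameterized lookup returns none.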
7.1.2.4 DNS Tunneling
Anomalous DNS queries were observed. Queries with a packet length larger than 512 bytes and queries with names longer than 90 characters are considered abnormal. When such queries are detected more than 5 times in a period of 2 minutes, a DNS tunnel could be ongoing.
All kinds of services, like web browsing, email, Active Directory, etc., use the Domain Name System (DNS) protocol to turn IP addresses into human readable names and vice versa. The requests and responses are just domain names and IP addresses, therefore these packets are usually very small.
7.1.2.4.0.1 Malicious causes
Someone is using DNS ports to transfer data rather than doing name lookups. This is a popular way of exfiltrating data since DNS ports are rarely blocked.
DNS tunneling is often used to get free Wi-Fi at public hotspots where DNS is not restricted while normal data transfer is limited. A DNS tunnel is established by hiding data inside DNS requests, which are then turned back into the real data on the destination DNS server. This becomes a real threat when malicious software uses DNS to get data out of the company network, or even to receive commands/updates from a command and control server.
7.1.2.4.0.2 Mitigation
- Allow only your internal DNS servers to send/receive DNS queries to the outside world; filter DNS port 53 in the firewall.
- Enforce that client workstations only use your internal authorized DNS servers.
- Identify false positives: some applications or discovery services could be detected as DNS tunneling.
7.1.2.5 Port Scan
A machine is sending packets to several ports on several hosts very quickly. If the target machine is listening on the port, it may respond, thus revealing that a service is running on this port. Very often the type of service can be inferred from the port number, e.g. a response on port 80 indicates that the host is running an HTTP service.
7.1.2.5.0.1 Malicious causes
Similarly to traceroute, port scanning is a discovery tactic where the attacker attempts to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
7.1.2.6 DNS Multiple Domain Not Found
Multiple NXDOMAIN responses were sent by a DNS server to a querying host.
NXDOMAIN is a DNS message type received by the DNS resolver when a request to resolve a domain is sent to the DNS server and cannot be resolved to an IP address. A device may receive an NXDOMAIN response from the DNS for several reasons:
7.1.2.6.0.1 Benign causes
- A user entered a domain with a typo when trying to visit a website.
- An application on the client is misconfigured, e.g. an ftp server that has moved to a new domain, leaving ftp clients trying to resolve the server on the old domain.
- Some antivirus software like McAfee and Kaspersky uses DNS queries and techniques to detect malware and could thus generate false positives.
7.1.2.6.0.3 Malicious causes
- A web browser reaches out to random local domains on startup to check for DNS hijacking.
- A device is infected with a bot utilizing a domain generation algorithm (DGA) in order to participate in a botnet.
The reason you want to monitor DNS NXDOMAIN responses is that some forms of malware (largely bots) leverage domain generation algorithms (DGA) to try to reach their command and control (C&C) server. It is possible to see hundreds, and sometimes thousands, of requests per day being generated by the DGA utilized by the malware. Most randomly generated domains requested by an infected host will trigger an NXDOMAIN response from the DNS. If you monitor DNS NXDOMAIN responses and keep a score per client, you can raise awareness of suspicious behaviour.
7.1.2.6.0.4 Mitigation
- Look into the notification description and check the domains queried in it.
- Filter false positives: if McAfee domains are creating this notification, whitelist that domain.
- Test whether the domains are blacklisted or have a poor reputation on https://www.virustotal.com or http://www.urlvoid.com/.
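Both DNS notifications on this page come down to per-client counting over a DNS log, so one added Python example (not MUNINN's code) serves both: the tunneling heuristic from 7.1.2.4 with the page's 512-byte, 90-character and more-than-5-in-2-minutes thresholds, and the per-client NXDOMAIN score from 7.1.2.6 with a whitelist for a known benign source. The log records, the NXDOMAIN threshold and the whitelisted domain are constructed assumptions.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed log record: (timestamp seconds, client, query name, packet bytes, rcode)
Record = Tuple[float, str, str, int, str]

MAX_PACKET, MAX_NAME = 512, 90        # page: larger than 512 bytes / 90 characters
TUNNEL_COUNT, TUNNEL_WINDOW = 5, 120  # page: more than 5 times within 2 minutes
NXDOMAIN_THRESHOLD = 10               # assumption: per-client score worth a look
ALLOWLIST = {"av-vendor.example"}     # assumption: known benign NXDOMAIN source

def is_abnormal(query: str, size: int) -> bool:
    return size > MAX_PACKET or len(query) > MAX_NAME

def tunnel_suspects(records: List[Record]) -> Dict[str, float]:
    """Client -> time of the first tunnel notice: more than TUNNEL_COUNT
    abnormal queries inside a sliding TUNNEL_WINDOW."""
    windows: Dict[str, deque] = defaultdict(deque)
    notices: Dict[str, float] = {}
    for ts, client, query, size, _ in sorted(records):
        if not is_abnormal(query, size):
            continue
        w = windows[client]
        w.append(ts)
        while ts - w[0] > TUNNEL_WINDOW:   # drop queries older than the window
            w.popleft()
        if len(w) > TUNNEL_COUNT and client not in notices:
            notices[client] = ts
    return notices

def nxdomain_scores(records: List[Record]) -> Dict[str, int]:
    """Per-client NXDOMAIN count, ignoring names under whitelisted domains."""
    scores: Dict[str, int] = defaultdict(int)
    for _, client, query, _, rcode in records:
        allowed = any(query.endswith("." + d) for d in ALLOWLIST)
        if rcode == "NXDOMAIN" and not allowed:
            scores[client] += 1
    return {c: n for c, n in scores.items() if n >= NXDOMAIN_THRESHOLD}

def sample_records() -> List[Record]:
    """Constructed traffic: a tunnelling client, a DGA-like client and a benign one."""
    recs = [(1000 + 20 * i, "10.0.0.5", "a" * 100 + ".t.example", 300, "NOERROR")
            for i in range(6)]
    recs += [(1000 + 5 * i, "10.0.0.9", f"xq{i}zk.example", 80, "NXDOMAIN")
             for i in range(12)]
    recs += [(1000 + i, "10.0.0.7", f"h{i}.av-vendor.example", 80, "NXDOMAIN")
             for i in range(12)]
    return recs
```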